then telling my scripts to use port 1081 for mysql connections worked. This netstat command shows me I'm accepting connections fine on the local side, but the same check on the remote machine, the one with the actual mysql server, is not listening in on 1081 at all, which wasn't the case before.

I checked sshd_config which seems to allow tunnelling, that is no config change.
I also tried opening a tunnel to another server on my network and that's also not working, is my command crap or something? Tried with various combinations of -f -T

2 Answers

I have drawn some sketches

The machine where the ssh tunnel command is typed is called »your host«.

Introduction

local: -L Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

ssh -L sourcePort:forwardToHost:onPort connectToHost means: connect with ssh to connectToHost, and forward all connection attempts to the local sourcePort to port onPort on the machine called forwardToHost, which can be reached from the connectToHost machine.

remote: -R Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.

ssh -R sourcePort:forwardToHost:onPort connectToHost means: connect with ssh to connectToHost, and forward all connection attempts to the remote sourcePort to port onPort on the machine called forwardToHost, which can be reached from your local machine.

Additional options

-f tells ssh to background itself after it authenticates, so you don't have to sit around running something on the remote server for the tunnel to remain alive.

-N says that you want an SSH connection, but you don't actually want to run any remote commands. If all you're creating is a tunnel, then including this option saves resources.

-T disables pseudo-tty allocation, which is appropriate because you're not trying to create an interactive shell.

Your example

The first image represents your case. If you do

ssh -L 1081:localhost:3306 remotehost

all connection attempts to the green port 1081 are forwarded through the ssh tunnel to the pink port 3306 on the remotehost’s localhost, i.e. the remotehost itself.

Now your php scripts can access your database via localhost:1081. But the netstat command on your remotehost can’t find anything listening at 1081 (at least not as a result of the tunnel), because the pink port isn’t a listening port created by ssh, but the target of the forwarding. And it is not forwarding to port 1081 but to 3306.

Is your db server really listening on port 3306 or possibly on port 1081? If the latter is true, then your command should be changed to look like this:

ssh -L 1081:localhost:1081 remotehost

If your database listens on port 1081 you should find it with netstat (independently of ssh).

You wouldn't expect the remote side to be listening on port 1081. You're asking the tunnel to connect to port 3306 on the remote side, and this is mysql's default port. It might be worth checking that it is actually listening on that port. Alternatively, if you actually want to use port 1081 on both sides, substitute your -L option with -L1081:localhost:1081.
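
The check both answers describe, as an added example that is not part of the original answers: given the -L argument and a listener listing from each machine, it reports whether the listener on your host and the target port on the other side are where the tunnel needs them. The function names `listens` and `check_L`, the `ss -ltn` listings (constructed, not real captures) and the three-part `sourcePort:forwardToHost:onPort` form without a bind address are assumptions of this example.

```shell
#!/bin/sh
# Constructed `ss -ltn` output for the two machines (not real captures).
YOUR_HOST_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1081     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
REMOTEHOST_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# listens PORT: read `ss -ltn` style text on stdin, succeed if PORT is in LISTEN.
# (hypothetical helper; the port is the text after the last ":" of column 4)
listens() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) hit = 1 }
                   END { exit !hit }'
}

# check_L SPEC YOUR_LISTING TARGET_LISTING   (hypothetical helper)
# SPEC is the -L argument in the form sourcePort:forwardToHost:onPort.
# TARGET_LISTING is taken on forwardToHost (remotehost itself when it is localhost).
# Prints one line: the first problem found, or "ok".
check_L() {
    src=${1%%:*}    # listener that ssh opens on your host
    on=${1##*:}     # port on forwardToHost that the tunnel connects to
    if ! printf '%s\n' "$2" | listens "$src"; then
        echo "no listener on your host port $src: tunnel is not up"
    elif ! printf '%s\n' "$3" | listens "$on"; then
        echo "nothing listens on target port $on: wrong onPort or service down"
    else
        echo "ok: your host listens on $src, target listens on $on"
    fi
}

# The tunnel from the question: 1081 is only expected on your host.
check_L 1081:localhost:3306 "$YOUR_HOST_SS" "$REMOTEHOST_SS"
# Same listings, but forwarding to 1081 on the remote side: no service there.
check_L 1081:localhost:1081 "$YOUR_HOST_SS" "$REMOTEHOST_SS"
```

On real machines, pass the output of `ss -ltn` run on each host in place of the constructed listings.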